salt.state.firewalld.present needs updating

[mepreston]

Is your feature request related to a problem? Please describe.
needs updating to better support firewalld V0.8.6
should be reviewed what needs to be added/changed to
support this version. For example a zone has
"Protocols" and salt will give a syntax error if you try
to use it.

Secondly it would be a nice enhancement if there was a new
state to "reload" the running instance instead of restarting the
env. see firewall-cmd --reload

A example zone listing from from firewalld:

firewall-cmd --list-all --zone=home

home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols: ipv6-icmp
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

It seems firewalld hasn't been updated in a few years so it is missing
features that exist in the current version. last update to doc was 2016.

Describe the solution you'd like
to support this syntax:

home:
  firewalld.present:
    - name: home
    - prune_services: True
    - interfaces:
      - enp1s0
    - protocols:
      - ipv6-icmp
    - services:
      - dhcpv6-client
      - mdns
      - ssh

which results in this error:
Passed invalid arguments: 'protocols' is an invalid keyword argument for 'firewalld.present'.

Describe alternatives you've considered
n/a

Additional context
firewall-cmd -V
0.8.6

Salt Version:
Salt: 3002.2

Please Note
If this feature request would be considered a substantial change or addition, this should go through a SEP process here https://github.com/saltstack/salt-enhancement-proposals, instead of a feature request.

[mepreston]

i've had major issues trying to use the states for firewalld and ipset. I could not add to the protocols nor rich-rules. I could not create a valid ipset either. when using test=True i discovered it would not report any errors but when i removed that the execution would fail. fedora releases a new major version every 6 months and i dont' think you are able to keep up with all the changes they make in these releases. one other note is the state.ipset doc page is basically useless and needs rewriting.

[mepreston]

Salt Version:
Salt: 3002.2

Dependency Versions:
cffi: 1.14.1
cherrypy: Not Installed
dateutil: 2.8.1
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
Jinja2: 2.11.3
libgit2: 1.0.1
M2Crypto: Not Installed
Mako: Not Installed
msgpack: 1.0.0
msgpack-pure: Not Installed
mysql-python: Not Installed
pycparser: 2.20
pycrypto: 2.6.1
pycryptodome: 3.9.8
pygit2: 1.3.0
Python: 3.9.1 (default, Jan 20 2021, 00:00:00)
python-gnupg: Not Installed
PyYAML: 5.4.1
PyZMQ: 19.0.0
smmap: Not Installed
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.3.4

System Versions:
dist: fedora 33
locale: utf-8
machine: x86_64
release: 5.10.14-200.fc33.x86_64
system: Linux
version: Fedora 33

[Xaraxia]

I think the problem here is that ipset uses the iptables backend, but modern firewalld uses the nftables backend. If you add ipsets via firewalld it will add it to BOTH, but state.ipset is not doing that.

The best solution here is to support the firewalld ipsets so that it will work irrelevant of backend. But the alternative is to use the nft functionality instead, see https://wiki.archlinux.org/title/nftables#Sets